• Captive portal for wifi with dhcp relay / bridge?

    Locked
    0 Votes
    2 Posts
    3k Views
    I am using captive portal to authenticate routed traffic from a WiFi net to my home network. A pfSense box is the DHCP server on the WiFi network. WiFi clients get their IP address by DHCP without problem and without requiring authentication from the captive portal. I don't know if Captive Portal operates at layer 2 (bridging) or layer 3 (routing). I have no experience with Captive Portal on a bridged interface. Do you really need to bridge WiFi net and LAN? You mentioned DHCP relay. Why not use the pfSense box as DHCP server? If you are reasonably experienced with pfSense you could probably fairly easily set up something like what you described so you can experiment with it.
  • Internal net stops passing traffic

    Locked
    0 Votes
    6 Posts
    2k Views
    I saw several people complaining about that a while back. I don't know if it will help, but perhaps a firmware update might also work. Otherwise you will have to find a way to compile and use a different kernel or module. This is one reason I look for Intel NIC based servers when I can.
  • Another logging question (is everything everything?)

    Locked
    0 Votes
    12 Posts
    4k Views
    stephenw10
    @anothereric: Maybe I'll try fooling with gitsync on my mule just for the cheap thrill. If you have a test box set up then go for it. Once you're happy with the procedure then you can make a decision on your main box. Steve
  • Gmail doesn't load

    Locked
    0 Votes
    11 Posts
    4k Views
    Not sure…. maybe I was tired ... maybe something went wrong when I was installing as I have now reinstalled the latest build again and it is working fine..... hate these sort of issues...must have been me  :-\
  • OpenVPN on pfSense 2.0, Using Wizard?

    Locked
    0 Votes
    20 Posts
    86k Views
    So, I was able to follow this tutorial and it worked out great!! Thanks!! I just have one question…. I've been reading about pre-shared key authentication versus X.509 PKI authentication as seen in this article http://www.iceflatline.com/2010/10/secure-remote-access-to-your-home-network-using-pfsense-and-openvpn/, so my question is… which one does this set up. There appears to be a 2048-bit OpenVPN static key in the server setup, which I assume is the shared key which leads me to believe this is pre-shared key authentication. Am I correct? If so, what would I need to do to turn it into X.509? Thanks!
  • PPPOE Differences between 1.2.3 and 2.0

    Locked
    0 Votes
    2 Posts
    7k Views
    So I have a pfSense 1.2.3 router; with the PPPoE server it assigns a static IP to the client from my WAN interface. Works great. Here is the log:

    Oct 26 20:42:22 mpd: Incoming PPPoE connection request via em2: for service "*" from 00:0a:cd:14:d9:8e
    Oct 26 20:42:22 mpd: PROTOCOMP
    Oct 26 20:42:22 mpd: MRU 1492
    Oct 26 20:42:22 mpd: MAGICNUM ec44aeac
    Oct 26 20:42:22 mpd: AUTHPROTO CHAP MD5
    Oct 26 20:42:22 mpd: MAGICNUM 501be513
    Oct 26 20:42:22 mpd: MAGICNUM 501be513
    Oct 26 20:42:22 mpd: PROTOCOMP
    Oct 26 20:42:22 mpd: MRU 1492
    Oct 26 20:42:22 mpd: MAGICNUM ec44aeac
    Oct 26 20:42:22 mpd: AUTHPROTO CHAP MD5
    Oct 26 20:42:22 mpd: MRU 1492
    Oct 26 20:42:22 mpd: MAGICNUM ec44aeac
    Oct 26 20:42:22 mpd: AUTHPROTO CHAP MD5
    Oct 26 20:42:22 mpd: Name: "CSR"
    Oct 26 20:42:22 mpd: Peer name: "CSR"
    Oct 26 20:42:22 mpd: Response is valid
    Oct 26 20:42:22 mpd: IPADDR 192.168.101.2
    Oct 26 20:42:24 mpd: IPADDR 192.168.101.2
    Oct 26 20:42:24 mpd: IPADDR 192.168.101.2
    Oct 26 20:42:24 mpd: 192.168.101.2 -> 173.160.XXX.XXX

    Can ping the client after connection and connect to the Remote Desktop Server. I'm using VMware ESXi, and when I pause the 1.2.3 router and enable the PPPoE server on my new 2.0 router with the same PPPoE Server config, everything looks good (after disabling compression and changing the auth to CHAP), but it seems that I can not ping or connect to the Remote Desktop Server like I can with the 1.2.3 router. One last note is that I can ping the PPPoE client public IP when it connects to the PPPoE Server from the web interface.

    Oct 26 20:33:48 poes: Incoming PPPoE connection request via em4: for service "*" from 00:0a:cd:14:d9:8e
    Oct 26 20:33:48 poes: [poes10] Accepting PPPoE connection
    Oct 26 20:33:48 poes: [poes10] opening link "poes10"...
    Oct 26 20:33:48 poes: [poes10] link: OPEN event
    Oct 26 20:33:48 poes: [poes10] LCP: Open event
    Oct 26 20:33:48 poes: [poes10] LCP: state change Initial --> Starting
    Oct 26 20:33:48 poes: [poes10] LCP: LayerStart
    Oct 26 20:33:48 poes: [poes10] PPPoE: connection successful
    Oct 26 20:33:48 poes: [poes10] link: UP event
    Oct 26 20:33:48 poes: [poes10] link: origination is remote
    Oct 26 20:33:48 poes: [poes10] LCP: Up event
    Oct 26 20:33:48 poes: [poes10] LCP: state change Starting --> Req-Sent
    Oct 26 20:33:48 poes: [poes10] LCP: SendConfigReq #1
    Oct 26 20:33:48 poes: PROTOCOMP
    Oct 26 20:33:48 poes: MRU 1492
    Oct 26 20:33:48 poes: MAGICNUM c5d20912
    Oct 26 20:33:48 poes: AUTHPROTO CHAP MD5
    Oct 26 20:33:48 poes: [poes10] LCP: rec'd Configure Request #121 (Req-Sent)
    Oct 26 20:33:48 poes: MAGICNUM 24cbf809
    Oct 26 20:33:48 poes: [poes10] LCP: SendConfigAck #121
    Oct 26 20:33:48 poes: MAGICNUM 24cbf809
    Oct 26 20:33:48 poes: [poes10] LCP: state change Req-Sent --> Ack-Sent
    Oct 26 20:33:48 poes: [poes10] LCP: rec'd Configure Reject #1 (Ack-Sent)
    Oct 26 20:33:48 poes: PROTOCOMP
    Oct 26 20:33:48 poes: [poes10] LCP: SendConfigReq #2
    Oct 26 20:33:48 poes: MRU 1492
    Oct 26 20:33:48 poes: MAGICNUM c5d20912
    Oct 26 20:33:48 poes: AUTHPROTO CHAP MD5
    Oct 26 20:33:48 poes: [poes10] LCP: rec'd Configure Ack #2 (Ack-Sent)
    Oct 26 20:33:48 poes: MRU 1492
    Oct 26 20:33:48 poes: MAGICNUM c5d20912
    Oct 26 20:33:48 poes: AUTHPROTO CHAP MD5
    Oct 26 20:33:48 poes: [poes10] LCP: state change Ack-Sent --> Opened
    Oct 26 20:33:48 poes: [poes10] LCP: auth: peer wants nothing, I want CHAP
    Oct 26 20:33:48 poes: [poes10] CHAP: sending CHALLENGE len:20
    Oct 26 20:33:48 poes: [poes10] LCP: LayerUp
    Oct 26 20:33:48 poes: [poes10] CHAP: rec'd RESPONSE #1
    Oct 26 20:33:48 poes: Name: "CSR"
    Oct 26 20:33:48 poes: [poes10] AUTH: Auth-Thread started
    Oct 26 20:33:48 poes: [poes10] AUTH: Trying INTERNAL
    Oct 26 20:33:48 poes: [poes10] AUTH: INTERNAL returned undefined
    Oct 26 20:33:48 poes: [poes10] AUTH: Auth-Thread finished normally
    Oct 26 20:33:48 poes: [poes10] CHAP: ChapInputFinish: status undefined
    Oct 26 20:33:48 poes: Response is valid
    Oct 26 20:33:48 poes: Reply message: Welcome
    Oct 26 20:33:48 poes: [poes10] CHAP: sending SUCCESS len:7
    Oct 26 20:33:48 poes: [poes10] LCP: authorization successful
    Oct 26 20:33:48 poes: [poes10] Bundle up: 1 link, total bandwidth 64000 bps
    Oct 26 20:33:48 poes: [poes10] IPCP: Open event
    Oct 26 20:33:48 poes: [poes10] IPCP: state change Initial --> Starting
    Oct 26 20:33:48 poes: [poes10] IPCP: LayerStart
    Oct 26 20:33:48 poes: [poes10] IPCP: Up event
    Oct 26 20:33:48 poes: [poes10] IPCP: state change Starting --> Req-Sent
    Oct 26 20:33:48 poes: [poes10] IPCP: SendConfigReq #1
    Oct 26 20:33:48 poes: IPADDR 10.5.250.4
    Oct 26 20:33:48 poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting
    Oct 26 20:33:48 poes: [poes10] IPCP: rec'd Configure Request #123 (Req-Sent)
    Oct 26 20:33:48 poes: [poes10] IPCP: SendConfigAck #123
    Oct 26 20:33:48 poes: [poes10] IPCP: state change Req-Sent --> Ack-Sent
    Oct 26 20:33:48 poes: [poes10] IPCP: rec'd Configure Ack #1 (Ack-Sent)
    Oct 26 20:33:48 poes: IPADDR 10.5.250.4
    Oct 26 20:33:48 poes: [poes10] IPCP: state change Ack-Sent --> Opened
    Oct 26 20:33:48 poes: [poes10] IPCP: LayerUp
    Oct 26 20:33:48 poes: 10.5.250.4 -> 173.160.XXX.XXX
    Oct 26 20:33:48 poes: [poes10] IFACE: Up event
    Oct 26 20:33:48 poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting
    Oct 26 20:33:58 poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting

    Here is a copy of the mpd.conf from 2.0, with compression disabled and changed to CHAP:

    pppoe_standard:
            set bundle no multilink
            #set bundle enable compression
            set auth max-logins 1
            set iface up-script /usr/local/sbin/vpn-linkup
            set iface down-script /usr/local/sbin/vpn-linkdown
            set iface idle 0
            set iface disable on-demand
            set iface disable proxy-arp
            set iface enable tcpmssfix
            set iface mtu 1500
            set link no pap chap
            set link enable chap
            set link keep-alive 60 180
            set ipcp yes vjcomp
            set ipcp no vjcomp
            set link max-redial -1
            set link mtu 1492
            set link mru 1492
            set ccp yes mpp-e40
            set ccp yes mpp-e128
            set ccp yes mpp-stateless
            set link latency 1
            #set ipcp dns 10.10.1.3
            #set bundle accept encryption
            set ipcp dns 192.168.2.4 75.75.75.75

    Questions:
    Am I missing some firewall change that is different than 1.2.3 and need a rule to fix this?
    Why the change from CHAP to PAP as the default in 2.0?
    Any thoughts on why the compression was throwing an error with 2.0, or did 1.2.3 not show errors when it could not negotiate compression?
  • 2.0 syslog output for firewall rules

    Locked
    0 Votes
    7 Posts
    3k Views
    jimp
    Looks like there is an error on that code then, it works if I run it slightly modified on the command line but not from php, seems to be various bits escaping that \n that trip it up, it needs to be \n to sed, but it's getting escaped to \n when executed.
  • Flaky PPPoE and Dynamic gateway causes stale firewall states

    Locked
    0 Votes
    4 Posts
    2k Views
    jimp
    There are references to the gateway in the rules, and likely the states, but I had thought when PPPoE disconnected it killed all states to the old gateway.
  • Persistent logs

    Locked
    0 Votes
    4 Posts
    2k Views
    @jimp: Best way is to use remote syslog to push them off to another system where they can be kept indefinitely. There isn't a really good way to not clear them and also ensure that the log files are properly formatted at bootup (or there may be but nobody has had time to dig into that) So it's not a trivial matter to just pick up where it left off?  Dang.
  • Anti lockout rule apply to optx LAN interface, not LAN named interface

    Locked
    0 Votes
    10 Posts
    19k Views
    So it seems that on the GUI part, all is set up correctly? But if I connect to the pfSense box, it seems that OPT1 (vlan 100 on em1) is still configured as the LAN interface. I can't use the 'assigned interface' option because it asks me to reconfigure all the VLANs and interfaces.

    *** Welcome to pfSense 2.0-RELEASE-pfSense (i386) on 2idf00 ***

     WAN (wan)        -> pppoe0      -> 1.1.1.1 (PPPoE)
     OPT1 (lan)       -> em1_vlan100 -> NONE
     WIFI (opt1)      -> ath0_wlan1  -> NONE
     VLAN200 (opt2)   -> em1_vlan200 -> 192.168.2.1
     VPN1 (opt3)      -> ovpns2      -> 10.0.1.1
     DSL (opt4)       -> em0         -> 192.168.3.2
     DMZ (opt5)       -> em1_vlan5   -> 192.168.5.1
     LAN (opt6)       -> bridge0     -> 192.168.1.1

     0) Logout (SSH only)                  8) Shell
     1) Assign Interfaces                  9) pfTop
     2) Set interface(s) IP address       10) Filter Logs
     3) Reset webConfigurator password    11) Restart webConfigurator
     4) Reset to factory defaults         12) pfSense Developer Shell
     5) Reboot system                     13) Upgrade from console
     6) Halt system                       14) Disable Secure Shell (sshd)
     7) Ping host
  • Forwarding logging of Pfsense on Alix to an other PC in LAN

    Locked
    0 Votes
    2 Posts
    1k Views
    GruensFroeschli
    On the Synology servers a normal Linux is installed. Install syslog on it and configure the pfSense to send all logs to your syslog server (Status -> System Logs -> Settings). Since the DS111 is an ARM based system you might have to compile the syslog server yourself.
  • GUI user rights?

    Locked
    0 Votes
    3 Posts
    1k Views
    periko
    Thanks jimp for your update  :)
  • Time difference between System time - RRD Graphs & System Logs

    Locked
    0 Votes
    5 Posts
    2k Views
    ptt
    Ok, no problem, I just changed the timezone to America/Asuncion; now my FW has moved to Paraguay :D Thanks Jimp for your time
  • 2.1 Section and details?

    Locked
    0 Votes
    5 Posts
    2k Views
    johnpoz
    yeah I saw your post about having updated your builds in ipv6 section – and when I get home prob update mine to that build.  Prob no issues and could kick it off remote, but since I vpn into my home network from work and kind of need to get work stuff done with stupid firewall rules they have here I can wait til local to update ;) Just looking forward to the freebsd 9 builds and actual section for 2.1 I guess.. Currently everything I am doing is working great on my build, but I like to run bleeding edge and help find issues when I can, etc.
  • DHCP leases : can't delete a static leases

    Locked
    0 Votes
    7 Posts
    27k Views
    jimp
    The static entries have to be changed under the DHCP Server page. Old normal leases in the database can't be deleted if the mac address is still online as it thinks they're still active. You may be better off stopping the DHCP service, then rm /var/dhcpd/var/db/dhcpd.leases*, then start it again and just let it redo the whole db.
  • Problem installing Pound

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp
    Looks like the link didn't copy/paste right; it shouldn't have http :// in front of it for an FTP link. But it can be accessed via HTTP, it just needs a slightly different URL. Plus FreeBSD moved the packages off to its FTP archive… So try: pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.1-release/Latest/pound.tbz
  • Automatic Backup possible

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp
    Possible, sure, but not easy. There isn't any code that would make that happen, but the necessary bits are on the box… there is an e-mail library, and the ability to add cron jobs. I wouldn't recommend sending your config via e-mail in plain text though, especially if it contains anything sensitive. There are many backup scenarios in the book and also on the doc wiki.
  • High memory usage

    Locked
    0 Votes
    5 Posts
    4k Views
    jimp
    Free RAM is wasted RAM. If the system is just using it for caching and whatnot, that's better than letting it sit empty. Run top -SH for a bit and see what the memory breakdown looks like there.
  • How to have more than 256 PPPoE clients?

    Locked
    0 Votes
    2 Posts
    5k Views
    jimp
    That is an artificial limit in the GUI, largely since high numbers haven't been thoroughly tested/vetted. You can either edit the value in the config.xml directly to be larger and then reboot, or edit the page so it draws many more numbers to choose from. (or change it to a text entry field).
  • PoolDown problem, no connection on HTTP?

    Locked
    0 Votes
    3 Posts
    1k Views
    jimp
    When you have it set to TCP it just tries to connect to the port, it doesn't check that a response is proper, only that a connection can be established.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.